#!/usr/local/lua52/bin/lua
--
-- Example self-signed X.509 certificate generation.
--
-- Skips intermediate CSR object, which is just an antiquated way for
-- specifying subject DN and public key to CAs. See API documentation for
-- CSR generation.
--

local keytype = ...

local openssl = require"openssl"
local pkey = require"openssl.pkey"
local x509 = require"openssl.x509"
local name = require"openssl.x509.name"
local altname = require"openssl.x509.altname"

-- generate our public/private key pair
local function genkey(type)
	type = string.upper(type or (not openssl.NO_EC and "EC") or "RSA")

	if type == "RSA" then
		return pkey.new{ type = "RSA", bits = 1024 }
	elseif type == "DSA" then
		return pkey.new{ type = "DSA", bits = 1024 }
	else
		return pkey.new{ type = "EC", curve = "prime192v1" }
	end
end

local key = genkey(keytype)

-- our Subject and Issuer DN (self-signed, so same)
local dn = name.new()
dn:add("C", "US")
dn:add("ST", "California")
dn:add("L", "San Francisco")
dn:add("O", "Acme, Inc")
dn:add("CN", "acme.inc")

-- our Alternative Names
local alt = altname.new()
alt:add("DNS", "acme.inc")
alt:add("DNS", "*.acme.inc")

-- build our certificate
local crt = x509.new()

crt:setVersion(3)
crt:setSerial(47)

crt:setSubject(dn)
crt:setIssuer(crt:getSubject())
crt:setSubjectAlt(alt)

local issued, expires = crt:getLifetime()
crt:setLifetime(issued, expires + 60) -- good for 60 seconds

crt:setBasicConstraints{ CA = true, pathLen = 2 }
crt:setBasicConstraintsCritical(true)

crt:setPublicKey(key)
crt:sign(key)

print(crt:text())
